DONATO ONOFRI, SR. RED TEAM ENGINEER
EMANUELE CALVELLI, THREAT RESEARCH ENGINEER
HIJACKLOADER EVOLUTION:
INTERACTIVE PROCESS HOLLOWING
AGENDA
▪ HijackLoader
▪ Process Hollowing
▪ Interactive Process Hollowing
©2024 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
HIJACKLOADER
▪ Described for the first time in Summer 2023
▪ Aka IDAT Loader: it uses a sophisticated shellcode loading mechanism, hiding the shellcode inside a downloaded PNG
HIJACKLOADER
▪ Malware used as a first stage at initial access, mainly for evasion and for loading malicious tools such as info stealers, remote access tools, Cobalt Strike, etc.
HIJACKLOADER – EXECUTION CHAIN
Today we focus on step 3
HIJACKLOADER
▪ https://www.crowdstrike.com/blog/hijackloader-expands-techniques/
PROCESS HOLLOWING
https://attack.mitre.org/techniques/T1055/012/
PROCESS A → PROCESS B (diagram):
1. Create Suspended Process
2. Allocate & Write Shellcode
3. Modify Instruction Pointer
4. Resume from Suspension
Result: PROCESS A executed the injected shellcode in PROCESS B
HIJACKLOADER HOLLOWING VARIATION:
INTERACTIVE PROCESS HOLLOWING
HIJACKLOADER → CMD.EXE, STDIN redirected to a Pipe (diagram):
1. Create Process NOT Suspended!
2. Allocate & Write Shellcode
3. Suspend
4. Modify Instruction Pointer
5. Resume from Suspension
Result: NOTHING HAPPENS!
INTERACTIVE PROCESS HOLLOWING++
HIJACKLOADER → CMD.EXE, STDIN redirected to a Pipe (diagram):
1. Create Process NOT Suspended!
2. Allocate & Write Shellcode
3. Modify Instruction Pointer
4. Write \r\n to the STDIN PIPE
INTERACTIVE PROCESS HOLLOWING++
1. Create Process: HijackLoader spawns the cmd.exe process that will receive the malicious code, with STDIN and STDOUT redirected to pipes. Notably, this process isn’t suspended, which makes it appear less suspicious.
▪ Cmd.exe waits to read input from the STDIN pipe: the NtReadFile syscall sets its main thread’s state to Waiting and its _KWAIT_REASON to Executive, signifying that it’s awaiting the completion of a kernel code operation and its return.
2. Allocate and Write Shellcode: the shellcode is allocated and written into the cmd.exe child process.
3. Modify Instruction Pointer: HijackLoader sets up the redirection of the cmd.exe child’s execution flow to the previously written shellcode’s address by modifying the EIP/RIP in the remote thread’s CONTEXT.
4. Write to the STDIN PIPE: data is written to the STDIN pipe, sending input to the cmd.exe process. This resumes the execution of the child process from the NtReadFile operation, thus triggering the execution of the shellcode.
▪ Before returning to user space, the kernel reads and restores the values saved in the _KTRAP_FRAME structure (which contains the EIP/RIP register value) to resume from where the syscall was called.
▪ By modifying the CONTEXT in the previous step, the loader hijacks this resumption of execution toward the shellcode address, without needing to suspend and resume the thread as process hollowing usually requires.
FALCON ®
▪ CrowdStrike employs a layered approach to malware detection using machine learning and indicators of attack (IOAs).
▪ The CrowdStrike Falcon® sensor’s machine learning capabilities can automatically detect and prevent HijackLoader in the initial stages of the attack chain, i.e., as soon as the malware is downloaded onto the victim’s machine.
▪ Moreover, behavior-based detection capabilities (IOAs) can recognize malicious behavior at various stages of the attack chain, including process injection attempts.
“Dark magic leaves traces..”
(Albus Dumbledore)
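Each of the four steps in the "Interactive Process Hollowing++" sequence above leaves a distinct, correlatable trace, which is what a behavior-based detection has to work with. The following Python is an added example written for this page, not CrowdStrike's or the Falcon sensor's code: its key=value log format, the event kinds (ProcessCreate, RemoteWrite, SetThreadContext, ResumeThread, PipeWrite) and all sample lines are constructed for the example and match no real sensor schema. It goes slightly beyond the deck by also recognizing the classic suspended-then-resumed hollowing flow from the MITRE slide, and by treating a parent that merely pipes input to cmd.exe without any cross-process write or context change as benign.

```python
"""Correlate constructed endpoint telemetry into the interactive process hollowing
sequence described in the deck: a non-suspended child with piped STDIN, a remote
memory write into it, a remote thread CONTEXT change, then a write to its STDIN.
The log format, event kinds and sample lines are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: int
    kind: str            # ProcessCreate | RemoteWrite | SetThreadContext | ResumeThread | PipeWrite
    src: int             # acting process id
    dst: int             # process acted upon (for PipeWrite: the process on the pipe's other end)
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value ...' telemetry line into an Event."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    fixed = {"ts", "kind", "src", "dst"}
    return Event(int(kv["ts"]), kv["kind"], int(kv["src"]), int(kv["dst"]),
                 {k: v for k, v in kv.items() if k not in fixed})


@dataclass
class ChildState:
    parent: Optional[int] = None
    suspended_at_create: bool = False
    stdin_is_pipe: bool = False
    remote_write: bool = False
    context_set: bool = False                 # SetThreadContext seen after a remote write
    resumed: bool = False
    stdin_written_after_context: bool = False  # the wake-up trigger from step 4


def correlate(events: List[Event]) -> Dict[int, ChildState]:
    """Replay events in time order and build one state record per child process."""
    states: Dict[int, ChildState] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        st = states.setdefault(ev.dst, ChildState())
        if ev.kind == "ProcessCreate":
            st.parent = ev.src
            st.suspended_at_create = ev.attrs.get("suspended") == "1"
            st.stdin_is_pipe = ev.attrs.get("stdin") == "pipe"
        elif ev.src == ev.dst:
            continue  # a process touching its own memory or threads is not injection
        elif ev.kind == "RemoteWrite":
            st.remote_write = True
        elif ev.kind == "SetThreadContext":
            st.context_set = st.remote_write   # order matters: write first, then redirect
        elif ev.kind == "ResumeThread":
            st.resumed = True
        elif ev.kind == "PipeWrite" and ev.attrs.get("pipe") == "stdin":
            st.stdin_written_after_context = st.context_set
    return states


def verdict(st: ChildState) -> str:
    """Name the variant the correlated state matches, or 'benign'."""
    if not (st.remote_write and st.context_set):
        return "benign"
    if st.suspended_at_create and st.resumed:
        return "classic_process_hollowing"       # textbook T1055.012 flow
    if not st.suspended_at_create and st.stdin_is_pipe and st.stdin_written_after_context:
        return "interactive_process_hollowing"   # the HijackLoader variant
    return "remote_context_modification"         # injection-like, variant not recognized


def detect(lines: List[str]) -> Dict[int, str]:
    """Map each child pid in the log to its verdict."""
    return {pid: verdict(st) for pid, st in correlate([parse_line(ln) for ln in lines]).items()}


SAMPLE_LOG = [  # constructed sample telemetry, three parent/child pairs
    "ts=1 kind=ProcessCreate src=100 dst=200 image=cmd.exe stdin=pipe stdout=pipe suspended=0",
    "ts=2 kind=RemoteWrite src=100 dst=200 size=4096",
    "ts=3 kind=SetThreadContext src=100 dst=200 reg=Rip",
    "ts=4 kind=PipeWrite src=100 dst=200 pipe=stdin bytes=2",
    "ts=10 kind=ProcessCreate src=300 dst=400 image=cmd.exe stdin=pipe stdout=pipe suspended=0",
    "ts=11 kind=PipeWrite src=300 dst=400 pipe=stdin bytes=12",
    "ts=20 kind=ProcessCreate src=500 dst=600 image=cmd.exe stdin=console suspended=1",
    "ts=21 kind=RemoteWrite src=500 dst=600 size=8192",
    "ts=22 kind=SetThreadContext src=500 dst=600 reg=Rip",
    "ts=23 kind=ResumeThread src=500 dst=600",
]

if __name__ == "__main__":
    for pid, v in detect(SAMPLE_LOG).items():
        print(pid, v)
```

The ordering checks are the point: a SetThreadContext only counts once a cross-process write into the same child has been seen, and the STDIN write only counts once the context has been changed, which is exactly the sequence the deck describes. A real sensor would additionally key on thread ids and on handle identity (is the written pipe really the child's STDIN?) rather than on the simplified pid-level attributes used here.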
THANK YOU
Questions?